How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Transcription

1 Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup 30 September 2009 How to Use Short Basis : Trapdoors for Craig Gentry Chris Peikert Vinod Vaikuntanathan

2 Previous Trapdoors Using Lattice Z q m S d Short error vector e A Z q n m m n f A e =Ae Z q n Syndrome u Hard to invert? Yes : finding a short solution e to Ae=u ( ISIS for a random u, SIS for u=0 and e<>0) Trapdoor? Yes : A short basis for the lattice ={e Z m / Ae=0 mod q}

3 Previous Trapdoors Using Lattice Trapdoor : Reducing the point modulo a short basis But...

4 Previous Trapdoors Using Lattice : information leakage Inverting enough random points reveal the trapdoor basis Randomization?

5 Avoiding information A solution leakage?? If the domain is big enough, we may sample random preimage without revealing the basis

6 Avoiding information leakage! [Sec 3,4] D, s,c : Discrete Gaussian distribution on the lattice With deviation s and center c Randomized version of the nearest plane algorithm

7 Preimage Sampleable Functions [Sec 5] Previous algorithm can be used to construct a new cryptographic primitive : A collection of one-way Preimage Sampleable Functions (PSFs) - Generation of a function with a trapdoor - Uniform output for a given input distribution - Preimage sampleable with trapdoor (following conditional distribution) - One-wayness without trapdoor That are also collision resistant without the trapdoor (and have many preimage, high min-entropy)

8 Tightly secure FDH signature scheme [Sec 6] Reduction to One-wayness f Random oracle Need to guess on which digest the Attacker will choose Reduction Signing oracle Attacker Q hash loss with generic trapdoor permutation (provable) Q sign loss with RSA (provable) Reduction to Collision Resistance (with high min-entropy) f Random oracle Reduction Signing oracle Attacker Tight Reduction

9 Another Trapdoor using LWE [Sec 7,8] The Learning With Error problem also yield to trapdoor functions A Z q n m m n Secret Public Alice e D Z m, r n u Ae Z q u= f A e Z q Bob s Z n, x D Z m, p A T m s x Z q p= f ' A s, x Z m q Common secret k A =e T p k B =u T s k A k B =e T p u T s=e T A T s x Ae T s =e T A T s e T x Ae T s=e T x k A k B C r m With overwhelming probability

10 Two dual cryptosystems (1) [Sec 8] Public key cryptosystem for a single-bit message b (let B = b [q/2]) Encryption Alice e D Z m, r Bob sk=s Z n, x D Key Generation u Ae Z n pk= p A T s x k A =e T p k B =u T s Decryption c= u,c=b k A B'=B k B Variant of the cryptosystem from [Reg05]

11 Two dual cryptosystems (2) [Sec 7] Public key cryptosystem for a single-bit message b (let B = b [q/2]) Key Generation Alice Bob sk=e D Z m, r s Z n q, x D Z m, n pk=u Ae Z q p A T m s x Z q Encryption Decryption k A =e T p B'=c 2 k A k B =u T s c= p,c=k B B

12 IBE Construction [Sec 7,8] Secret Public Alice e D Z m, r n u Ae Z q u= f A e A short basis for the lattice Bob s Z n, x D Z m, p A T m s x Z q p= f ' A s, x gives a trapdoor for those two functions! The common matrix A generation must be trusted. f A Surjective, not injective f ' A Injective, not surjective (image exponentially sparse) Identity based Encryption System (secure in the Random Oracle Model)